linuxdcpp-team team mailing list archive

Thread
Date

[Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs

To: linuxdcpp-team@xxxxxxxxxxxxxxxxxxx
From: poy <1425276@xxxxxxxxxxxxxxxxxx>
Date: Sun, 22 Mar 2015 17:36:06 -0000
Reply-to: Bug 1425276 <1425276@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I think it should be decided at a protocol level how to handle these;
otherwise, programs would transmit information they have changed in ways
they thought were correct but based on their own rules, which may differ
from one program to the other.

Eg when browsing a file list, should DC++ transmit original names or its
modified ones? Only the former would be doable in the current state
(each program to its own), but that would mean having to store the names
twice.

I'd prefer we first define white / black lists of characters and the
transformations expected by peers (or rules on their output, so any
wrong name would be erroneous per the protocol). Then DC++ and other
programs will implement these.

Regarding NMDC, let's first handle ADC and derive what is needed from
there. I guess nicks will need specific thoughts (more than in ADC).

--
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1425276

Title:
The Unicode mirror character and possibly other similar ones can be
used for nick spoofing in ADC hubs

Status in DC++:
Confirmed

Bug description:
Basically what's described at http://stackoverflow.com/questions/3115204/unicode-mirror-character used by some recent malware to trick with file extensions seems to be working for DC++, too.
See the attached screenshot. It produces various other funny effects throughout the DC++ interface where the nick is displayed alone or in conjunction with other text/data.

For other possible problematic chars cologic suggests that anything in
http://www.fileformat.info/info/unicode/block/general_punctuation/list.htm
from U+2000 to U+206F inclusive is pretty suspect. Some look like they
have legitimate use, though, (U+2030 to U+205E inclusive, for
example). But, minimally, filtering out a few of the codepoints from
that block: LEFT-TO-RIGHT OVERRIDE (U+202D), RIGHT-TO-LEFT OVERRIDE
(U+202E), LEFT-TO-RIGHT EMBEDDING (U+202A), RIGHT-TO-LEFT EMBEDDING
(U+202B), POP DIRECTIONAL FORMATTING (U+202C), etc.

Also here's a handy list of possible other suspects:
http://kb.mozillazine.org/Network.IDN.blacklist_chars

To manage notifications about this bug go to:
https://bugs.launchpad.net/dcplusplus/+bug/1425276/+subscriptions

References

[Bug 1425276] [NEW] The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
From: eMTee, 2015-02-24